Bring forward some changes from 2.0.8; Improve error messages; Implement STARTUP_ENABLED
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1519 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
502a00cc26
commit
d8a733aac0
@ -14,23 +14,12 @@ Changes since 2.0.3
|
|||||||
|
|
||||||
7) Add PKTTYPE option.
|
7) Add PKTTYPE option.
|
||||||
|
|
||||||
firewall
|
|
||||||
shorewall.conf
|
|
||||||
|
|
||||||
8) Enhancements to /etc/shorewall/masq
|
8) Enhancements to /etc/shorewall/masq
|
||||||
|
|
||||||
masq
|
|
||||||
firewall
|
|
||||||
|
|
||||||
8) Allow overriding ADD_IP_ALIASES=Yes
|
8) Allow overriding ADD_IP_ALIASES=Yes
|
||||||
|
|
||||||
nat
|
|
||||||
firewall
|
|
||||||
|
|
||||||
9) Fix syntax error in setup_nat()
|
9) Fix syntax error in setup_nat()
|
||||||
|
|
||||||
firewall
|
|
||||||
|
|
||||||
10) Port "shorewall status" changes from 2.0.7.
|
10) Port "shorewall status" changes from 2.0.7.
|
||||||
|
|
||||||
11) All config files are now empty.
|
11) All config files are now empty.
|
||||||
@ -39,3 +28,7 @@ Changes since 2.0.3
|
|||||||
|
|
||||||
13) Pass rule chain and display chain separately to log_rule_limit.
|
13) Pass rule chain and display chain separately to log_rule_limit.
|
||||||
Prep work for action logging.
|
Prep work for action logging.
|
||||||
|
|
||||||
|
14) Show the iptables/ip/tc command that failed when failure is fatal.
|
||||||
|
|
||||||
|
15) Implement STARTUP_ENABLED.
|
||||||
|
@ -156,7 +156,11 @@ run_iptables() {
|
|||||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
|
|
||||||
if ! iptables $@ ; then
|
if ! iptables $@ ; then
|
||||||
[ -z "$stopping" ] && { stop_firewall; exit 2; }
|
if [ -z "$stopping" ]; then
|
||||||
|
error_message "ERROR: Command \"$@\" Failed"
|
||||||
|
stop_firewall
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
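Review bot: The new `error_message "ERROR: Command \"$@\" Failed"` in run_iptables is only reached when `$stopping` is empty, so an iptables failure that happens while the firewall is being stopped is still silently dropped, which is exactly the case where an operator most needs to know a rule was not applied. If that silence is deliberate (the stop path may tolerate missing chains), say so with a comment above the `if`; otherwise move the `error_message` line before `if [ -z "$stopping" ]; then` and keep only `stop_firewall` and `exit 2` inside the guard. run_ip and run_tc in the next two hunks have the same shape. The context line `if ! iptables $@ ; then` also re-splits arguments containing whitespace; `iptables "$@"` would preserve them, though that line predates this commit. run_iptables's opening line is outside the hunk.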
@ -183,7 +187,11 @@ run_iptables2() {
|
|||||||
#
|
#
|
||||||
run_ip() {
|
run_ip() {
|
||||||
if ! ip $@ ; then
|
if ! ip $@ ; then
|
||||||
[ -z "$stopping" ] && { stop_firewall; exit 2; }
|
if [ -z "$stopping" ]; then
|
||||||
|
error_message "ERROR: Command \"$@\" Failed"
|
||||||
|
stop_firewall
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -192,7 +200,11 @@ run_ip() {
|
|||||||
#
|
#
|
||||||
run_tc() {
|
run_tc() {
|
||||||
if ! tc $@ ; then
|
if ! tc $@ ; then
|
||||||
[ -z "$stopping" ] && { stop_firewall; exit 2; }
|
if [ -z "$stopping" ]; then
|
||||||
|
error_message "ERROR: Command \"$@\" Failed"
|
||||||
|
stop_firewall
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2784,7 +2796,7 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
|
|||||||
|
|
||||||
[ "$COMMAND" != check ] && \
|
[ "$COMMAND" != check ] && \
|
||||||
while havechain %${CHAIN}${actchain}; do
|
while havechain %${CHAIN}${actchain}; do
|
||||||
actchain=$((${actchain-0} + 1))
|
actchain=$(($actchain + 1))
|
||||||
[ $actchain -eq 10 -a ${#CHAIN} -eq 9 ] && CHAIN=$(echo $CHAIN | cut -b -8)
|
[ $actchain -eq 10 -a ${#CHAIN} -eq 9 ] && CHAIN=$(echo $CHAIN | cut -b -8)
|
||||||
done
|
done
|
||||||
|
|
||||||
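Review bot: Replacing `${actchain-0}` with `$actchain` in `actchain=$(($actchain + 1))` removes the default for the first pass through the `while havechain` loop; if `actchain` is not initialised before the loop, the expression becomes `$(( + 1))`, which some shells evaluate as 1 and others reject. The initialisation is outside this hunk, so I cannot confirm it here. If it is set earlier, a one-line comment above the loop such as `# actchain is initialised by the caller` records the dependency; if it is not, keep the `${actchain-0}` form. createlogactionchain begins and continues outside the hunk.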
@ -2865,6 +2877,9 @@ find_logactionchain() # $1 = Action, including log level and tag if any
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# This function determines the logging for a subordinate action or a rule within a subordinate action
|
||||||
|
#
|
||||||
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
|
merge_levels() # $1=level at which superior action is called, $2=level at which the subordinate rule is called
|
||||||
{
|
{
|
||||||
local superior=$1 subordinate=$2
|
local superior=$1 subordinate=$2
|
||||||
@ -2926,12 +2941,32 @@ merge_levels() # $1=level at which superior action is called, $2=level at which
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Read /etc/shorewall/actions and /usr/share/shorewall/actions.std and for each defined <action>, pre-process
|
# The next two functions implement the two phases of action processing.
|
||||||
# /etc/shorewall/action.<action>
|
#
|
||||||
|
# The first phase (process_actions1) occurs before the rules file is processed. /usr/share/shorewall/actions.std
|
||||||
|
# and /etc/shorewall/actions are scanned (in that order) and for each action:
|
||||||
|
#
|
||||||
|
# a) The related action definition file is located and scanned.
|
||||||
|
# b) Forward and unresolved action references are trapped as errors.
|
||||||
|
# c) A dependency graph is created. For each <action>, the variable 'requiredby_<action>' lists the
|
||||||
|
# action[:level[:tag]] of each action invoked by <action>.
|
||||||
|
# d) All actions are listed in the global variable ACTIONS.
|
||||||
|
# e) Common actions are recorded (in variables of the name <policy>_common) and are added to the global
|
||||||
|
# USEDACTIONS list and their action chain is created.
|
||||||
|
#
|
||||||
|
# As the rules file is scanned, each action[:level[:tag]] is merged onto the USEDACTIONS list. When an <action>
|
||||||
|
# is merged onto this list, its action chain is created. Where logging is specified, a chain with the name
|
||||||
|
# %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
|
||||||
|
# length of the chain name does not exceed 11 characters.
|
||||||
|
#
|
||||||
|
# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
|
||||||
|
# USEDACTIONS is generated; again, as new actions are merged onto this list, their action chains are created.
|
||||||
|
#
|
||||||
|
# The final step is to traverse the USEDACTIONS list populating each chain appropriately by reading the
|
||||||
|
# action definition files and creating rules. Note that a given action definition file is processed once for
|
||||||
|
# each unique [:level[:tag]] applied to an invocation of the action.
|
||||||
#
|
#
|
||||||
|
|
||||||
process_actions1() {
|
process_actions1() {
|
||||||
|
|
||||||
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
|
ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn dropInvalid"
|
||||||
@ -3003,53 +3038,8 @@ process_actions1() {
|
|||||||
done < $TMP_DIR/$inputfile
|
done < $TMP_DIR/$inputfile
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
#
|
|
||||||
# Generate the transitive closure of $USEDACTIONS (the actions directly referred to in rules and as common actions) then
|
|
||||||
# process the associated action files.
|
|
||||||
#
|
|
||||||
process_actions2() {
|
process_actions2() {
|
||||||
#
|
|
||||||
# Process a rule where the source or destination is "all"
|
|
||||||
#
|
|
||||||
process_wildcard_rule() {
|
|
||||||
local yclients yservers ysourcezone ydestzone ypolicy
|
|
||||||
|
|
||||||
for yclients in $xclients; do
|
|
||||||
for yservers in $xservers; do
|
|
||||||
ysourcezone=${yclients%%:*}
|
|
||||||
ydestzone=${yservers%%:*}
|
|
||||||
if [ "${ysourcezone}" != "${ydestzone}" ] ; then
|
|
||||||
eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
|
|
||||||
if [ "$ypolicy" != NONE ] ; then
|
|
||||||
rule="$(echo $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
|
|
||||||
process_action $xchain $xaction1 $xaction2 $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
do_it() {
|
|
||||||
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
|
|
||||||
|
|
||||||
if [ "x$xclients" = xall ]; then
|
|
||||||
xclients="$zones $FW"
|
|
||||||
if [ "x$xservers" = xall ]; then
|
|
||||||
xservers="$zones $FW"
|
|
||||||
fi
|
|
||||||
process_wildcard_rule
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "x$xservers" = xall ]; then
|
|
||||||
xservers="$zones $FW"
|
|
||||||
process_wildcard_rule
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
|
|
||||||
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
|
||||||
}
|
|
||||||
|
|
||||||
drop_broadcasts() {
|
drop_broadcasts() {
|
||||||
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
|
||||||
@ -3065,9 +3055,7 @@ process_actions2() {
|
|||||||
run_iptables -A $xchain -d $address -j DROP
|
run_iptables -A $xchain -d $address -j DROP
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
#
|
|
||||||
# B O D Y S T A R T S H E R E
|
|
||||||
#
|
|
||||||
progress_message " Generating Transitive Closure of Used-action List..."
|
progress_message " Generating Transitive Closure of Used-action List..."
|
||||||
|
|
||||||
changed=Yes
|
changed=Yes
|
||||||
@ -3179,7 +3167,7 @@ process_actions2() {
|
|||||||
|
|
||||||
echo "Processing $fn for Chain $xchain..."
|
echo "Processing $fn for Chain $xchain..."
|
||||||
|
|
||||||
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
|
while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do
|
||||||
expandv xtarget
|
expandv xtarget
|
||||||
#
|
#
|
||||||
# Generate the target:level:tag to pass to process_action()
|
# Generate the target:level:tag to pass to process_action()
|
||||||
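Review bot: The corrected `while read xtarget ... xuserspec` loop still reads without `-r`, so a backslash in any column of the action file is consumed by read rather than reaching process_action; `while read -r xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do` keeps the line verbatim. I cannot tell from here whether the pre-processed `$TMP_DIR/$f` can contain backslashes, so this may be moot for shorewall's own files. process_actions2 begins and ends outside the hunk.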
@ -3204,7 +3192,11 @@ process_actions2() {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
do_it
|
expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
|
||||||
|
|
||||||
|
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
|
||||||
|
process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
|
||||||
|
|
||||||
done < $TMP_DIR/$f
|
done < $TMP_DIR/$f
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
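Review bot: With do_it and process_wildcard_rule removed in the hunk at 3003, the inlined `expandv`/`rule=`/`process_action` sequence passes `$xclients` and `$xservers` through unchanged, so an action-file rule whose SOURCE or DEST is `all` is no longer expanded into per-zone rules and reaches process_action as the literal word `all`. Whether process_action rejects that or quietly builds a rule from it is outside this hunk, so I cannot tell which. If dropping wildcard support in action files is intended, a comment here such as `# SOURCE/DEST 'all' is not expanded for action rules` and a line in the release notes would keep the next reader from re-adding it; if it is not intended, this loop needs an explicit check that errors on `all`. process_actions2 begins and ends outside the hunk.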
@ -5819,10 +5811,11 @@ activate_rules()
|
|||||||
# Check for disabled startup
|
# Check for disabled startup
|
||||||
#
|
#
|
||||||
check_disabled_startup() {
|
check_disabled_startup() {
|
||||||
if [ -f /etc/shorewall/startup_disabled ]; then
|
if [ -z "$STARTUP_ENABLED" ]; then
|
||||||
echo " Shorewall Startup is disabled -- to enable startup"
|
echo " Shorewall Startup is disabled -- to enable startup"
|
||||||
echo " after you have completed Shorewall configuration,"
|
echo " after you have completed Shorewall configuration,"
|
||||||
echo " remove the file /etc/shorewall/startup_disabled"
|
echo " change the setting of STARTUP_ENABLED to Yes in"
|
||||||
|
echo " /etc/shorewall/shorewall.conf"
|
||||||
|
|
||||||
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
[ -n "$TMP_DIR" ] && rm -rf $TMP_DIR
|
||||||
my_mutex_off
|
my_mutex_off
|
||||||
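Review bot: `if [ -z "$STARTUP_ENABLED" ]; then` decides startup by emptiness, so the behaviour for `STARTUP_ENABLED=No` in the shipped shorewall.conf, and for an upgraded shorewall.conf that has no STARTUP_ENABLED line at all, depends entirely on what added_param_value_yes (called in do_initialize, next hunk) turns those values into, which is not visible here. A comment above the test stating that contract, e.g. `# STARTUP_ENABLED is normalised by added_param_value_yes in do_initialize; empty here means startup is disabled` (adjusted to what the helper actually does), would stop a later reader from "fixing" the test to compare against Yes. The old `/etc/shorewall/startup_disabled` check is gone, so a file left from a previous install is now ignored; see the install.sh hunks.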
@ -6509,6 +6502,7 @@ do_initialize() {
|
|||||||
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
|
||||||
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
|
DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
|
||||||
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
|
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
|
||||||
|
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
|
||||||
|
|
||||||
#
|
#
|
||||||
# Strip the files that we use often
|
# Strip the files that we use often
|
||||||
|
@ -551,7 +551,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
|||||||
if insserv /etc/init.d/shorewall ; then
|
if insserv /etc/init.d/shorewall ; then
|
||||||
echo
|
echo
|
||||||
echo "shorewall will start automatically at boot"
|
echo "shorewall will start automatically at boot"
|
||||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||||
else
|
else
|
||||||
cant_autostart
|
cant_autostart
|
||||||
fi
|
fi
|
||||||
@ -559,7 +559,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
|||||||
if chkconfig --add shorewall ; then
|
if chkconfig --add shorewall ; then
|
||||||
echo
|
echo
|
||||||
echo "shorewall will start automatically in run levels as follows:"
|
echo "shorewall will start automatically in run levels as follows:"
|
||||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||||
chkconfig --list shorewall
|
chkconfig --list shorewall
|
||||||
else
|
else
|
||||||
cant_autostart
|
cant_autostart
|
||||||
@ -568,18 +568,13 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
|
|||||||
if rc-update add shorewall default; then
|
if rc-update add shorewall default; then
|
||||||
echo
|
echo
|
||||||
echo "shorewall will start automatically at boot"
|
echo "shorewall will start automatically at boot"
|
||||||
echo "Remove /etc/shorewall/startup_disabled in /etc/default/shorewall to enable"
|
echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
|
||||||
else
|
else
|
||||||
cant_autostart
|
cant_autostart
|
||||||
fi
|
fi
|
||||||
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
|
||||||
cant_autostart
|
cant_autostart
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo \
|
|
||||||
"########################################################################
|
|
||||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
|
||||||
########################################################################" > /etc/shorewall/startup_disabled
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
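Review bot: The block that wrote /etc/shorewall/startup_disabled on first install is removed, but nothing in the install path deals with a startup_disabled file already present on an upgraded system, and the firewall script (check_disabled_startup hunk) no longer looks for it. An administrator who kept that file to hold the firewall down could find it silently ignored after this upgrade and the firewall started at boot with a partly reviewed configuration. Printing a warning on the upgrade path when the file exists, e.g. `[ -f /etc/shorewall/startup_disabled ] && echo "Note: /etc/shorewall/startup_disabled is no longer honoured; use STARTUP_ENABLED in /etc/shorewall/shorewall.conf"`, would make the change visible; the same applies to the %post removal in the spec file. The enclosing `if [ -z "$PREFIX" -a -n "$first_install" ]` block begins outside the hunk, so the warning would need to go where upgrades are handled.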
|
@ -161,3 +161,14 @@ New Features:
|
|||||||
$LEVEL="info"
|
$LEVEL="info"
|
||||||
$TAG="test"
|
$TAG="test"
|
||||||
|
|
||||||
|
6) The /etc/shorewall/startup_disabled file is no longer created when
|
||||||
|
Shorewall is first installed. Rather, the variable STARTUP_ENABLED
|
||||||
|
is set to 'No' in /etc/shorewall/shorewall.conf. In order to get
|
||||||
|
Shorewall to start, that variable's value must be set to
|
||||||
|
'Yes'. This change accomplishes two things:
|
||||||
|
|
||||||
|
a) It prevents Shorewall from being started prematurely by the
|
||||||
|
user's initialization scripts.
|
||||||
|
|
||||||
|
b) It causes /etc/shorewall/shorewall.conf to be modified so that
|
||||||
|
it won't be replaced by upgrades using RPM.
|
||||||
|
@ -7,6 +7,14 @@
|
|||||||
# This file should be placed in /etc/shorewall
|
# This file should be placed in /etc/shorewall
|
||||||
#
|
#
|
||||||
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
# (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
|
||||||
|
##############################################################################
|
||||||
|
# S T A R T U P E N A B L E D
|
||||||
|
##############################################################################
|
||||||
|
# Once you have configured Shorewall, you may change the setting of
|
||||||
|
# this variable to 'Yes'
|
||||||
|
|
||||||
|
STARTUP_ENABLED=No
|
||||||
|
|
||||||
##############################################################################
|
##############################################################################
|
||||||
# L O G G I N G
|
# L O G G I N G
|
||||||
##############################################################################
|
##############################################################################
|
||||||
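Review bot: The new STARTUP_ENABLED comment says the value may be changed to 'Yes' but not which spellings are accepted nor what happens when the line is missing entirely, as it will be in every shorewall.conf carried over from an earlier release, and those are the two cases an upgrading administrator needs to know. Extend the comment with lines such as `# Set to Yes to allow the firewall to start; any other value keeps startup disabled.` and `# If this variable is absent, startup is treated as enabled so existing installations keep working.`, adjusting the second to whatever added_param_value_yes actually does, which is not visible in this commit.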
|
@ -40,20 +40,6 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
|
|
||||||
%post
|
%post
|
||||||
|
|
||||||
if [ $1 -eq 1 ]; then
|
|
||||||
echo \
|
|
||||||
"########################################################################
|
|
||||||
# REMOVE THIS FILE AFTER YOU HAVE CONFIGURED SHOREWALL #
|
|
||||||
########################################################################" \
|
|
||||||
> /etc/shorewall/startup_disabled
|
|
||||||
|
|
||||||
if [ -x /sbin/insserv ]; then
|
|
||||||
/sbin/insserv /etc/rc.d/shorewall
|
|
||||||
elif [ -x /sbin/chkconfig ]; then
|
|
||||||
/sbin/chkconfig --add shorewall;
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
|
|
||||||
if [ $1 = 0 ]; then
|
if [ $1 = 0 ]; then
|
||||||
@ -141,6 +127,8 @@ fi
|
|||||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Aug 02 2004 Tom Eastep tom@shorewall.net
|
||||||
|
- Remove startup_disabled.
|
||||||
* Thu Jul 29 2004 Tom Eastep tom@shorewall.net
|
* Thu Jul 29 2004 Tom Eastep tom@shorewall.net
|
||||||
- Updated to 2.1.2-1
|
- Updated to 2.1.2-1
|
||||||
* Mon Jul 12 2004 Tom Eastep tom@shorewall.net
|
* Mon Jul 12 2004 Tom Eastep tom@shorewall.net
|
||||||
|